Flaws in connected devices go beyond passwords | CSMonitor.com

In brief: Cybercriminals in recent weeks have amassed a powerful online weapon from compromised internet-linked cameras and video recorders, prompting warnings to consumers to change default passwords on their gadgets. But experts warn that changing passwords or making them stronger won’t solve the problem. (Editor’s note: this story is cross-posted from Christian Science Monitor Passcode. You can read the full text of the article there.)

Cybercriminals and script kiddies have used weak, easily guessed and default passwords on internet-connected cameras and other devices to assemble botnets of hundreds of thousands of infected devices. Those botnets, in turn, have been the linchpin in massive distributed denial-of-service attacks on websites like Krebs on Security as well as on Dyn, the managed domain name system (DNS) provider, where an October 21 attack knocked out access to leading websites.

But weak passwords aren’t the only security issues that come along with the fast-growing Internet of Things (IoT) marketplace, experts warn. A host of problems – from how devices connect to the internet to how they are manufactured – are leading to increasing worries over how attackers could take advantage of insecurities in connected devices.

For example, research from the security firm Flashpoint and others shows that many of the devices compromised by Mirai that participated in the Dyn attack came from a single Chinese supplier, Xiongmai Technology.

Xiongmai’s hardware and software reside in many brands of closed-circuit cameras, digital video recorders, and other devices and contain a hidden, administrative account that could not be changed by users.

But focusing on weak passwords with IoT devices alone risks missing the larger point, security experts warn.

“These devices have tons of issues,” says Billy Rios, the founder of the security firm Whitescope and a recognized expert on the security of embedded systems. “The reason that Mirai just exploited weak passwords is that it was all it needed to do. Why put more effort into it than you need to?”

A bigger problem than the default password, says Mr. Rios, is the shoddy manner in which internet-connected objects like cameras are deployed, allowing even nontechnical criminals and mischief makers to locate them with a simple online search.

Author: Paul

I'm an experienced writer, reporter and industry analyst with a decade of experience covering IT security, cyber security and hacking, and a fascination with the fast-emerging "Internet of Things."